The Green Sheet Online Edition

November 26, 2007 • Issue 07:11:02

Data breaches pique interest

By Travis K. KircherATMMarketplace.com

It's the data-breach scandal that won't die -the 2005 to 2006 TJX data breach that compromised the security of some 45 million debit and credit cards. Details about what is widely regarded as the largest data breach of its kind on record continue to emerge.

Over an 18-month period, which began in July 2005 and ended in December 2006, stolen card numbers have been traced back to customers of TJX Companies Inc., the name behind retail giants such as T.J. Maxx, Marshalls and HomeGoods.

Industry experts believe card data was compromised after it was fraudulently obtained during the transmission of data to card issuers. The cause: a vulnerable and badly secured wireless network, they say, in addition to stored card data at the point of sale - a flub that has prompted MasterCard Worldwide and Visa Inc. to tighten the reins on compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).

Perpetrators were able to download card information and decrypt it with TJX's decryption key, which they also allegedly illegally obtained. In addition to the debit and credit card numbers, the hackers pulled drivers license information, including names, addresses and Social Security numbers, from several of the customer accounts.

In response to the breach, TJX has agreed to settle with the affected customers who filed a suit against the company.

TJX has offered those consumers the option of cash or vouchers that could be used at TJX stores. That deal is awaiting approval from the judge presiding over the case.
Quests for justice aside, the TJX breach has put a spotlight on the need to secure wireless networks. And as more financial transactions are handled over wireless networks, experts are taking a closer look at what happens after transactions vanish into the ether.

A bigger picture

Which are more secure: wire-line or wireless transactions? Experts seem split on the issue. Wired infrastructures, such as land lines and lease lines, contain transactions, some say, making them more secure. When accessing card data through a system breach, a hacker would only have access to information they can gather after physically tapping the lines. In wireless transactions, hackers need only use a special wireless device to intercept the cellular or Wi-Fi transmission. But making those kinds of generalizations about the security of either transmission method is risky, said Mark Elson, Director of Product Management and Architecture for Phoenix Interactive Design Inc.

"I guess both can be compromised if the right security mitigation plan is put in place," he said. "There are different ways to infiltrate the system. It's difficult to say which one is more or less secure because some of them are drawing upon the same technology."

The security key, analysts say, is not the method of data transport, but rather the way the transported data is encrypted.

"Whether they were doing it over a land-line or not, the fact was that they had PIN detail that was generally available to anyone who wanted to look at it and knew how to look at it," said Rob Evans, the Director of Industry Marketing for NCR Corp. Evans referred to "basic guidelines" compiled in the PCI DSS, which the major card companies collaboratively designed in December 2004.

The ATM connection

PCI DSS requires that any entity that handles card transactions pass an audit conducted by the card companies to ensure that wireless networks are secure, that all transmissions are encrypted and that card data is not stored on the system. The standard also suggests that networks and systems regularly be tested for security holes.

"Wireless communications have to use an encryption method of a virtual private network, a security sockets layer or one of the other approved PCI technologies," said Chuck Hayes, a Product Manager for Long Beach, Miss.-based ATM manufacturer Triton Systems.

Mark Gamon of Australia's Symstream Technologies Pty. Ltd., which produces a product that converts landline ATMs to cellular ATMs, said his company sends financial-transaction data symbolically and layers its coded transmissions with Triple-DES encryption.

The use of the symbol with a layered-coding approach typically takes at least two hours to hack, Gamon said. And because each transmission uses a different code, fraudsters are never able to use the same transmission key twice. Even if they could get around the coding issue, because each transmission only takes two seconds to move from point A to point B, fraudsters just can't break the encryption fast enough.